Introduction

Trojan is a modern, fast VPN/proxy solution that leverages the TLS ecosystem to provide encrypted, stealthy transport. It has become popular among operators who require strong encryption, compatibility with TLS fronting, and minimal fingerprinting. This article provides a practical, step-by-step guide to configuring Trojan with TLS for reliable, production-grade deployments. The focus is on concrete configuration examples, operational best practices, and debugging tips suitable for site administrators, developers, and enterprise users.

Architecture Overview and Design Considerations

Trojan operates as a TCP-based proxy that behaves like standard HTTPS when inspected at layer 7. Its primary security model is TLS with modern cipher suites and a password-based authentication layer. A typical deployment pattern includes:

  • A Trojan server running on a public host, terminating TLS and accepting Trojan protocol connections.
  • An optional reverse proxy or web server (Nginx, Caddy) in front of the Trojan server to host a legitimate website for camouflage and to handle TLS via Let’s Encrypt or another CA.
  • Clients configured with server domain, port, and password. Clients perform TLS handshake and then use the Trojan protocol over the established encrypted channel.

Key design choices:

  • SNI and domain fronting: Use an actual website on the same domain to reduce suspicion and make traffic look like normal HTTPS.
  • ALPN and TLS versions: Prefer TLS 1.3 with appropriate ALPN values (http/1.1, h2) to blend in with normal web traffic.
  • Forward secrecy: Ensure TLS uses ECDHE key exchange and modern ciphers.

Prerequisites

Before installing, prepare the following:

  • A Linux server (Debian/Ubuntu/CentOS) with public IPv4/IPv6 as needed.
  • A domain name (e.g., example.com) with an A/AAAA record pointing to the server.
  • Root or sudo privileges on the server.
  • Ports: TCP 443 (recommended) or another high port. If using a reverse proxy, you only need to expose 443 for TLS.
  • Basic firewall knowledge (ufw/iptables/firewalld) to open required ports.

Install Trojan Server

Trojan is available on GitHub; binary releases and package builds exist. The recommended installation path is to use the official release binary or a package manager if available on your distro.

Example installation (Ubuntu/Debian):

  • Download the latest release: wget https://github.com/trojan-gfw/trojan/releases/download/vX.Y.Z/trojan-linux-amd64.tar.xz
  • Extract and move binary: tar -xf trojan-linux-amd64.tar.xz && sudo mv trojan /usr/local/bin/
  • Create a systemd unit (see below) and configuration file at /etc/trojan/config.json.

Example trojan config.json

Create /etc/trojan/config.json with content similar to:

{
"run_type": "server",
"local_addr": "127.0.0.1",
"local_port": 2083,
"remote_addr": "127.0.0.1",
"remote_port": 80,
"password": [
"your-strong-password-here"
],
"ssl": {
"cert": "/etc/letsencrypt/live/example.com/fullchain.pem",
"key": "/etc/letsencrypt/live/example.com/privkey.pem",
"cipher": "TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384",
"prefer_server_cipher": true,
"sni": "example.com",
"alpn": [
"h2",
"http/1.1"
] },
"websocket": {
"enabled": false
},
"tcp": {
"no_delay": true,
"keepalive": 60
}
}

Notes:

  • local_addr/local_port: Trojan listens locally if you use a reverse proxy in front; the reverse proxy will forward TLS-terminated traffic (via proxy_pass or stream) to this local port.
  • ssl.cert/ssl.key: Point to real certificates (Let’s Encrypt recommended).
  • password: A shared secret used by clients. Use a long, random string and rotate periodically.
  • alpn: Helps the handshake look like ordinary HTTPS. Including h2 and http/1.1 is typical.

Using Nginx or Caddy as a TLS Terminator

Putting a webserver in front of Trojan makes the server appear to be a normal website. You can either:

  • Terminate TLS at Nginx/Caddy and proxy with stream module or TCP to Trojan’s local port.
  • Terminate TLS with Nginx and use a location that serves an actual website while selectively proxying Trojan connections based on SNI/ALPN/paths (SNI-based routing).

Example Nginx stream block (TCP proxy):

stream {
map $ssl_preread_server_name $backend_name {
example.com trojan_backend;
default web_backend;
}

upstream trojan_backend {
server 127.0.0.1:2083;
}

upstream web_backend {
server 127.0.0.1:8080;
}

server {
listen 443;
proxy_pass $backend_name;
ssl_preread on;
}
}

For TLS termination at Nginx (https server): enable normal HTTP server blocks for web traffic, and forward Trojan traffic to the trojan backend using stream/sni matching or ALPN-based heuristics. Caddy simplifies TLS with automatic ACME and central configuration—useful for multi-domain setups.

Obtaining TLS Certificates

Use Let’s Encrypt via Certbot, acme.sh, or Bake-in TLS using Caddy. Example with Certbot:

  • Install certbot: sudo apt install certbot python3-certbot-nginx
  • Obtain cert: sudo certbot certonly --nginx -d example.com
  • Certificates located at /etc/letsencrypt/live/example.com/.

Make sure the cert renewal hooks reload Nginx and the Trojan service if needed:

  • Add post-hook in Certbot: --post-hook "systemctl reload nginx && systemctl restart trojan"

Systemd Unit File and Run Management

Create a systemd service to manage the Trojan process. Example /etc/systemd/system/trojan.service:

[Unit] Description=Trojan Proxy Service
After=network.target

[Service] Type=simple
User=nobody
ExecStart=/usr/local/bin/trojan -c /etc/trojan/config.json
Restart=on-failure
LimitNOFILE=65536

[Install] WantedBy=multi-user.target

Enable and start the service:

  • sudo systemctl daemon-reload
  • sudo systemctl enable --now trojan
  • sudo journalctl -u trojan -f for logs.

Client Configuration

Clients need the domain, port, password, and TLS settings. Most client implementations support Trojan protocol (GUI clients, mobile apps, command-line tools).

Minimal client config (example JSON for a CLI client):

{
"run_type": "client",
"local_addr": "127.0.0.1",
"local_port": 1080,
"remote_addr": "example.com",
"remote_port": 443,
"password": [
"your-strong-password-here"
],
"ssl": {
"verify": true,
"sni": "example.com",
"alpn": [
"h2",
"http/1.1"
],
"fingerprint": ""
}
}

Set the client’s local SOCKS5 proxy to 127.0.0.1:1080 (or chosen port) and configure your applications/system to use the proxy.

Firewall, Ports, and Hardening

Open only necessary ports:

  • Port 443 TCP for TLS (or your chosen public port).
  • SSH on a non-standard port is recommended and protect with key-based auth.

Use UFW example:

  • sudo ufw allow 443/tcp
  • sudo ufw allow ssh
  • sudo ufw enable

Additional hardening:

  • Run Trojan under a low-privilege user.
  • Keep server packages and trojan binary up-to-date.
  • Enable system-level mitigations: fail2ban for SSH, automatic updates for security fixes where appropriate.
  • Monitor logs and set up alerting for suspicious activity.

Troubleshooting and Debugging

Common issues and resolution steps:

  • Certificate errors: Verify certificate paths in trojan config and ensure expiry is in the future (openssl x509 -noout -dates -in fullchain.pem).
  • Handshake failures: Check ALPN and SNI values. Use openssl s_client -connect example.com:443 -servername example.com -alpn h2 to inspect TLS handshake.
  • Proxying mismatch: If using Nginx stream, ensure ssl_preread is enabled and upstream ports match trojan local_port.
  • Connection refused: Confirm Trojan service is running and listening on expected address (ss -tunlp | grep trojan).
  • Intermittent disconnects: Investigate TCP keepalive, firewall connection tracking timeouts, and reverse proxy buffering settings.

Operational Best Practices

For production deployments, consider these recommendations:

  • Use dedicated TLS certificates per domain and automate renewals to avoid downtime.
  • Rotate passwords and credentials on a scheduled cadence. Use a secure vault for storing credentials (HashiCorp Vault, AWS Secrets Manager, etc.).
  • Audit and monitor logs, bandwidth usage, and resource consumption. Set up alerts for unusual spikes or repeated authentication failures.
  • Capacity planning: benchmark concurrent connections and throughput; tune system limits (net.core.somaxconn, fs.file-max) accordingly.
  • Network-level protections: DDoS mitigation and rate limiting at the edge (CDN or cloud provider) help keep services available.

Advanced Topics

Several advanced patterns can enhance stealth and performance:

  • Multiplexing and load balancing: Use a layer 4/7 load balancer to spread client connections across multiple trojan backends.
  • SNI routing with multiple domains: Host multiple domains with legitimate websites and route trojan traffic selectively by SNI to different backends.
  • Obfuscation via HTTP/2 or HTTP/3: While Trojan already mimics HTTPS, pairing with ALPN and real HTTP/2 server behavior makes traffic even harder to distinguish.
  • Traffic shaping: Apply QoS limits and shaping to prevent obvious throughput patterns that might reveal proxy usage.

Conclusion

Configuring Trojan with TLS provides a powerful balance of security, performance, and stealth when compared to traditional proxies. By combining a well-configured Trojan service, strong TLS certificates, and a capable reverse proxy like Nginx or Caddy, you can deploy a robust solution suitable for site operators and enterprise scenarios. Maintain good operational practices—automated certificate renewal, credential rotation, logging, and monitoring—to keep the service secure and reliable.

For more resources, guides, and managed solutions, visit Dedicated-IP-VPN.